Local in policy UDP traffic: 0,137,138
Hi
1. I am having trouble identifying the traffic that is taking place on UDP ports 137 and 138 on some hosts in my network. In the Fortigate logs they look like this:
date="2023-03-31" time="09:43:53" id=7216628389765971970 bid=5122846 dvid=1043 itime=1680252233 euid=102 epid=102 dsteuid=102 dstepid=102 logflag=103 logver=702041396 type="traffic" subtype="local" level="notice" action="deny" policyid=0 sessionid=10001414 srcip="IP_HOST" dstip="BROADCAST_ADDRESS" srcport=137 dstport=137 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid="0001000014" srcname="HOST_NAME" service="udp/137" app="netbios forward" appcat="unscanned" srcintfrole="lan" dstintfrole="undefined" srcserver=0 policytype="local-in-policy" eventtime=1680252233039724380 srcmac="HOST_MAC" mastersrcmac="HOST_MAC" srchwvendor="Dell" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="Reserved" srcintf="internal" dstintf="root" tz="+0200" devid="FGT60FXXXXXXXXX" vd="root" devname="FG_NAME"
date="2023-03-31" time="09:14:35" id=7216620843508432896 bid=5122479 dvid=1043 itime=1680250476 euid=102 epid=102 dsteuid=102 dstepid=102 logflag=103 logver=702041396 type="traffic" subtype="local" level="notice" action="deny" policyid=0 sessionid=9992926 srcip="IP_HOST" dstip="BROADCAST_ADDRESS" srcport=138 dstport=138 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid="0001000014" srcname="HOST_NAME" service="udp/138" app="netbios forward" appcat="unscanned" srcintfrole="lan" dstintfrole="undefined" srcserver=0 policytype="local-in-policy" eventtime=1680250474612850760 srcmac="HOST_MAC" mastersrcmac="HOST_MAC" srchwvendor="HP" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="Reserved" srcintf="internal" dstintf="root" tz="+0200" devid="FGT60FXXXXXXXXXX" vd="root" devname="FG_NAME"
I know, of course, that this is NetBIOS communication used in file and printer sharing in Windows. However, I don't really know how to identify its source on a given host. On some hosts it is present and on others it is not.
2. Sometimes there is also blocked network traffic on FG, visible in the logs as UDP/0, e.g.:
date="2023-03-30" time="13:47:02" id=7216319963869478927 bid=5107844 dvid=1043 itime=1680180422 euid=102 epid=102 dsteuid=102 dstepid=102 logflag=103 logver=702041396 type="traffic" subtype="local" level="notice" action="deny" policyid=0 sessionid=9747672 srcip="IP_HOST" dstip="IP_GATEWAY (FG)" srcport=49427 dstport=0 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid="0001000014" srcname="HOST_NAME" service="udp/0" app="Local Switch Controller" appcat="unscanned" srcintfrole="lan" dstintfrole="undefined" srcserver=0 policytype="local-in-policy" eventtime=1680180422197293000 crscore=5 craction=262144 crlevel="low" srcmac="HOST_MAC" mastersrcmac="HOST_MAC" srchwvendor="Dell" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="Reserved" srcintf="internal" dstintf="root" threatwgts="{5}" threatcnts="{1}" threatlvls="{1}" threats="{failed-connection}" threattyps="{failed-connection}" tz="+0200" devid="FGT60FXXXXXXXXX" vd="root" devname="FG_NAME"
I'm looking but I don't know what it could be...
Any ideas?
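An added example, not part of the original post: a small Python parser for the FortiGate key=value log format quoted above that picks out the denied local-in UDP events on ports 0, 137 and 138 and groups them by source host, so the hosts producing this traffic can be listed before each one is inspected locally. The sample lines are constructed placeholders in the same shape as the quoted logs, not real hosts.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same key=value shape as the FortiGate
# local-in-policy events quoted in the post (placeholder addresses and names).
SAMPLE_LOGS = [
    'date="2023-03-31" time="09:43:53" type="traffic" subtype="local" action="deny" policyid=0 '
    'srcip="10.0.0.11" dstip="10.0.0.255" srcport=137 dstport=137 proto=17 service="udp/137" '
    'app="netbios forward" policytype="local-in-policy" srcname="PC-A" osname="Windows"',
    'date="2023-03-31" time="09:14:35" type="traffic" subtype="local" action="deny" policyid=0 '
    'srcip="10.0.0.12" dstip="10.0.0.255" srcport=138 dstport=138 proto=17 service="udp/138" '
    'app="netbios forward" policytype="local-in-policy" srcname="PC-B" osname="Windows"',
    'date="2023-03-30" time="13:47:02" type="traffic" subtype="local" action="deny" policyid=0 '
    'srcip="10.0.0.11" dstip="10.0.0.1" srcport=49427 dstport=0 proto=17 service="udp/0" '
    'app="Local Switch Controller" policytype="local-in-policy" srcname="PC-A" threats="{failed-connection}"',
]

# One key=value pair; quoted values may contain spaces (app="Local Switch Controller"),
# unquoted values run to the next whitespace (policyid=0, proto=17).
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_fortigate_line(line):
    """Turn one FortiGate log line into a dict, with quotes stripped from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}

def local_in_denies_by_host(lines, ports=(0, 137, 138)):
    """Map srcip -> sorted (dstport, app) pairs for denied local-in UDP events on the given ports."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("subtype") != "local" or ev.get("action") != "deny":
            continue  # only local-in-policy denies are of interest here
        if ev.get("proto") != "17" or int(ev.get("dstport", -1)) not in ports:
            continue  # proto 17 is UDP
        hits[ev["srcip"]].add((int(ev["dstport"]), ev.get("app", "")))
    return {ip: sorted(v) for ip, v in hits.items()}

if __name__ == "__main__":
    for ip, services in local_in_denies_by_host(SAMPLE_LOGS).items():
        print(ip, services)
```

Feed it the exported log lines instead of SAMPLE_LOGS and the hosts that emit NetBIOS broadcasts or udp/0 towards the gateway are listed at once.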
